David Woodhouse [Fri, 20 Sep 2013 05:41:57 +0000 (00:41 -0500)]
Fix outdated autohate files in release tarballs
Remove --copy and add --force. We'll end up with symlinks to the original
libtool/automake files which will thus remain up to date, and shouldn't
get old files in release tarballs any more.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 19 Sep 2013 18:30:03 +0000 (13:30 -0500)]
Include string.h where needed
This fixes the Solaris build; reported by "Rodney".
Also clean up #includes in compat.c; there's no need for them to be
hidden within the various ifdef blocks. Leave <sys/time.h> where it was,
just in case it's problematic on some platform. The rest are already
included unconditionally in other files, so should be fine.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 31 May 2013 13:12:59 +0000 (14:12 +0100)]
Use gnutls_pubkey_verify_data2() only if we have gnutls_pk_to_sign()
We need gnutls_pk_to_sign(), and gnutls_pubkey_verify_data() wasn't
deprecated until that arrived. So it's the correct thing to check for,
instead of just checking for gnutls_pubkey_verify_data2() itself.
Thanks to Jörg Mayer for reporting the build failure on openSUSE 12.1
with GnuTLS 3.0.3.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 30 May 2013 12:40:52 +0000 (13:40 +0100)]
When falling back to non-xmlpost, revert to original URL
If the XML POST attempt ended up being redirected, we don't want to stay
at that location when we fall back to the old method. We want to start
again from scratch.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 24 May 2013 22:42:14 +0000 (23:42 +0100)]
Close https connection when falling back to non-xmlpost mode
Some servers will continue to respond with a redirect, even redirecting a
request back to the *same* URL that was requested, unless we close the
connection and try again.
Red Hat bug #964650.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 21 May 2013 07:45:50 +0000 (08:45 +0100)]
Close HTTPS socket after various errors
This avoids leaving the socket in an unknown state. We were attempting to
send a request with a stale or out-of-sync socket, and that would make
the *next* request fail too, when it should have opened a new connection
for itself.
We should also make do_https_request() notice that and actually retry for
itself when it fails to even *send* the request, if it was re-using an
already open socket. But currently it doesn't *know* if it's re-using a
socket so that'll require a little more work.
Kevin Cernekee [Mon, 25 Mar 2013 01:14:02 +0000 (18:14 -0700)]
android: Remove dependency on files outside the openconnect repo
The Android build tries to run "git clone --reference ../../../gnutls".
This only works if the user happens to have another copy of the gnutls
repo in the right place.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Mon, 25 Mar 2013 01:13:58 +0000 (18:13 -0700)]
Fix token-related command line options
Aliasing --stoken to --token-secret is not effective because token_mode
does not get set. Might as well just drop --stoken.
For --token-mode, change "stoken" to "rsa" to make the UI more intuitive:
liboath provides TOTP token support, and libstoken provides RSA token
support.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Mon, 25 Mar 2013 01:13:57 +0000 (18:13 -0700)]
Get rid of LIBSTOKEN_HDR and LIBOATH_HDR
Unlike libproxy, these two libraries have well-defined names for their
respective header files. So include the headers by name, and use
HAVE_LIBSTOKEN / HAVE_LIBOATH for compile-time tests.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Mon, 25 Mar 2013 01:13:56 +0000 (18:13 -0700)]
Tweak liboath ./configure help text for consistency
Was:
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-sysroot=DIR Search for dependent libraries within DIR
(or the compiler's sysroot if not specified).
--without-libproxy Build without libproxy library [default=auto]
--without-stoken Build without libstoken library [default=auto]
--without-liboath Build without liboath library (default: test)
Now:
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-sysroot=DIR Search for dependent libraries within DIR
(or the compiler's sysroot if not specified).
--without-libproxy Build without libproxy library [default=auto]
--without-stoken Build without libstoken library [default=auto]
--without-liboath Build without liboath library [default=auto]
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Mar 2013 14:02:01 +0000 (14:02 +0000)]
Enable shared libopenconnect for Android build
We'll definitely want to use it from Java code for the authentication stage.
Not entirely sure yet how we'll invoke the main loop — perhaps by executing
the openconnect executable, but we *could* also invoke the main loop directly
from a Java process too. That might simplify the issue of protecting the
network sockets.
This ends up pulling libxml into libopenconnect.so, so the openconnect
executable gets it from there. Which isn't an ideal setup for the general
case but it's fairly convenient on Android.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Mar 2013 21:01:53 +0000 (21:01 +0000)]
Clean up CSD invocation for XML POST
We don't use a CSD trojan to download; we *require* a local wrapper.
Theoretically we ought to be able to invoke a 'real' Cisco hostscan
tool. We ought to fix the command line arguments for that but let's keep
it simple for now. Just keep the command line exactly the same as for
wrapping the trojan, with an empty string where the name of the
downloaded file would be.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Mar 2013 19:00:04 +0000 (19:00 +0000)]
CSD stub URL is optional
The recent change in commit b6ef1c86b6d29684e5a24b62e19827afafec13ed ('Fix
CSD trojan download') was wrong; for the XML POST case we don't necessarily
get handed a trojan to download. We're expected to have a local 'wrapper'
script which will act like a locally-installed 'hostscan'.
The wait URL *is* required though.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 4 Mar 2013 00:45:21 +0000 (00:45 +0000)]
Destroy vpninfo->https_cred on failing to create it
If something like certificate setup went wrong, we'd return failure but
*not* destroy the gnutls_certificate_credentials_t that we were
attempting to set up. So a subsequent retry would see that it already
exists, assume it's *fine* and just go ahead and use it. Don't do that.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 4 Mar 2013 00:28:08 +0000 (00:28 +0000)]
Handle redirects in attempting simple auth GET too
If the XML POST fails and we try a GET, we need to handle redirects for
that too. So re-use the same loop. Except the bit about not allowing local
redirects. Why do we do that for the XML POST case anyway?
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 22 Feb 2013 12:42:07 +0000 (12:42 +0000)]
Fix hostname canonicalisation to stop breaking certificate checks
Commit b0b4b34f ('Canonicalise hostname during authentication if necessary')
replaces the hostname with a bare IP address if necessary, so that
reconnecting is guaranteed to get the *same* host from a round-robin and
comparing the SSL cert with its previous SHA1 fingerprint (which is how we
do it for two-stage connection for example from NetworkManager) is
guaranteed to work.
However, this breaks certificate auth when invoked in one-stage mode from
the command line to authenticate *and* actually make the connection. When
vpninfo->hostname is replaced with a bare IP address, that might not
actually be what's listed in the certificate's Subject or Altname fields.
So users have reported a certificate validation failure on *reconnecting*
to the server which was acceptable the first time round when we looked it
up by name.
So, don't actually replace vpninfo->hostname at all. Introduce a new field
vpninfo->unique_hostname which is returned by openconnect_get_hostname(),
and leave vpninfo->hostname as it was.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Sun, 17 Feb 2013 00:18:07 +0000 (16:18 -0800)]
auth: stoken: Fix handling of "Next TOKENCODE" prompt
This needs to allow for input elements named "answer" instead of
"password", and it needs to check form->message instead of the label
attribute for the "Next TOKENCODE" prompt.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Sun, 17 Feb 2013 00:18:06 +0000 (16:18 -0800)]
http: Fix redirect handling in auth form loop
The gateway may ask the user to fill out different forms that live at
different URLs, e.g.
GET /+webvpn+/index.html
(returns <form method="post" action="/+webvpn+/index.html"> and
username/password form elements)
POST /+webvpn+/index.html
(returns <form method="post" action="/+webvpn+/login/challenge.html">
and challenge/response form elements)
POST /+webvpn+/login/challenge.html
(returns <auth> node with valid cookie)
The refactored openconnect_obtain_cookie() loop tried to post the
challenge/response data to index.html, preventing successful login. This
patch changes the logic so that it will honor the new "action" attribute
if present.
This probably does not affect XML POST mode, because XML POST <form> tags
do not seem to use attributes.
Reported-by: Fabian Jäger <fabian.jaeger@chungwasoft.com>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
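As an added illustration (not code from the OpenConnect repository), the three-step exchange described in this commit is simulated below against a constructed stand-in gateway; the honor_action flag switches between the old loop, which keeps posting to the starting URL, and the fixed one, which follows each form's action attribute. The function names, the fake gateway table and the cookie value are all hypothetical.

```python
import re
from urllib.parse import urljoin

# Constructed stand-in for the gateway in the commit message: each step's
# form lives at a different path, and only the final POST yields <auth>.
GATEWAY = {
    ("GET", "/+webvpn+/index.html"):
        '<form method="post" action="/+webvpn+/index.html">'
        '<input name="username"/><input name="password"/></form>',
    ("POST", "/+webvpn+/index.html"):
        '<form method="post" action="/+webvpn+/login/challenge.html">'
        '<input name="answer"/></form>',
    ("POST", "/+webvpn+/login/challenge.html"):
        '<auth><cookie>constructed-webvpn-cookie</cookie></auth>',
}

FORM_ACTION = re.compile(r'<form[^>]*\baction="([^"]*)"')
COOKIE = re.compile(r"<cookie>([^<]*)</cookie>")


def request(method, path):
    """Simulated HTTP round trip; any other (method, path) pair is a 404."""
    return GATEWAY.get((method, path), "<error>404</error>")


def obtain_cookie(honor_action, max_steps=5):
    """Walk the auth forms until an <auth> cookie appears.

    honor_action=False reproduces the bug: the loop posts every form back
    to the URL it started at, so the challenge page is never reached.
    honor_action=True resolves the form's action relative to the current
    URL before posting, which is what the fix does.
    """
    url = "/+webvpn+/index.html"
    body = request("GET", url)
    for _ in range(max_steps):
        found = COOKIE.search(body)
        if found:
            return found.group(1)
        action = FORM_ACTION.search(body)
        if action and honor_action:
            url = urljoin(url, action.group(1))
        body = request("POST", url)
    return None  # gave up: stuck on a form that never yields a cookie
```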
Kevin Cernekee [Sun, 17 Feb 2013 00:18:05 +0000 (16:18 -0800)]
auth: Implement special handling of password fields on XML POST
The Cisco AnyConnect client exhibits some quirky behavior on fields
with certain names:
For "answer", "whichpin", and "new_password", the field is renamed to
"password" in the submission.
For "verify_pin" and "verify_password", the field is omitted entirely.
One might expect the client to perform a comparison to see if the first
password/PIN field matches the verify_* field, but in my testing, I didn't
actually see it doing so.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>